ViewState is a cool mechanism in the ASP.NET platform for maintaining information supplied from the client side. By default, every input is submitted to the server with the POST method. Some HTML input objects call a JavaScript function that posts back to the server, as shown below.
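// theForm is the page's <form> element; ASP.NET defines it in generated script outside this snippet.
function __doPostBack(eventTarget, eventArgument) {
    // Submit only if there is no onsubmit handler or the handler does not cancel the submit
    if (!theForm.onsubmit || (theForm.onsubmit() != false)) {
        // Hidden fields tell the server which control raised the postback and with what argument
        theForm.__EVENTTARGET.value = eventTarget;
        theForm.__EVENTARGUMENT.value = eventArgument;
        theForm.submit();
    }
}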

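This mechanism could implicitly prevent CSRF (Cross-Site Request Forgery) attacks, although only when the ViewState is MAC-protected and bound to the user's session through Page.ViewStateUserKey; without that binding, a ViewState issued to one user is accepted when submitted by another. In PHP, you have to write quite a few lines of code to prevent this kind of attack. However, ViewState is a trade-off between performance and security. Thus, disable ViewState on the pages or objects that do not need it, and enable it only where you need it. Use ViewState wisely.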

I often see some applications hide their communication data with a base64 and gzip compression mechanism. With Burp proxy, there is no option to crack this kind of data. Therefore, I decided to help Burp with a PHP script. Download it and rename it to myencode.php
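<?php
// Expects a form POST with "estr" (the text) and "cmd" ("Decode"; any other value encodes).
// gzcompress()/gzuncompress() use the zlib format (RFC 1950), not the gzip file format.
$words = '';
if (isset($_POST['estr'])) {
    $cmd = isset($_POST['cmd']) ? $_POST['cmd'] : '';
    if (!strcmp($cmd, "Decode")) {
        // gzuncompress() returns false (with a warning) on malformed input
        $words = @gzuncompress(base64_decode($_POST['estr']));
        if ($words === false) {
            $words = 'Decode failed: input is not base64-encoded gzcompress() data';
        }
    } else {
        $words = base64_encode(gzcompress($_POST['estr']));
    }
}
// Escape before printing: decoded data is untrusted and would otherwise render as HTML/JS
echo htmlspecialchars($words, ENT_QUOTES | ENT_SUBSTITUTE);
?>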
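The decode step of the script above, as an added example in Python (not part of the original script), extended beyond it to recognise the three containers PHP can emit (gzcompress, gzencode, gzdeflate), accept URL-safe or unpadded base64, and cap the inflated size. The function names and the 1 MiB limit are assumptions of this example.

```python
import base64
import zlib

MAX_OUTPUT = 1 << 20  # assumed cap: refuse data that inflates to 1 MiB or more

# zlib wbits per container: 15 = zlib (PHP gzcompress), 31 = gzip (gzencode),
# -15 = raw deflate (gzdeflate)
CONTAINERS = (("zlib", 15), ("gzip", 31), ("raw-deflate", -15))


def _b64decode(text):
    """Decode standard or URL-safe base64, tolerating missing padding."""
    cleaned = "".join(text.split()).replace("-", "+").replace("_", "/")
    cleaned += "=" * (-len(cleaned) % 4)
    return base64.b64decode(cleaned, validate=True)  # binascii.Error is a ValueError


def _inflate(blob, wbits):
    d = zlib.decompressobj(wbits)
    out = d.decompress(blob, MAX_OUTPUT)  # never produce more than the cap
    if not d.eof:
        if len(out) >= MAX_OUTPUT:
            raise ValueError("inflated data exceeds MAX_OUTPUT")
        raise zlib.error("truncated stream")
    return out


def decode(text):
    """Return (container name, plaintext bytes) for base64-wrapped deflate data."""
    blob = _b64decode(text)
    for name, wbits in CONTAINERS:
        try:
            return name, _inflate(blob, wbits)
        except zlib.error:
            continue  # wrong container, try the next one
    raise ValueError("valid base64, but no known compression container")


def encode(data, wbits=15):
    """Inverse of decode(); the default mirrors base64_encode(gzcompress())."""
    c = zlib.compressobj(9, zlib.DEFLATED, wbits)
    return base64.b64encode(c.compress(data) + c.flush()).decode("ascii")


if __name__ == "__main__":
    # Constructed sample: PHP's base64_encode(gzcompress("hello"))
    print(decode("eJzLSM3JyQcABiwCFQ=="))
```

The size cap matters when the decoder is pointed at traffic you do not control, since a few kilobytes of deflate data can expand to gigabytes.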